CVE-2016-10531

Published: 31 May 2018

marked is an application that parses and compiles markdown. Because of the way marked 0.3.5 and earlier parses input, specifically HTML entities, it is possible to bypass marked's content injection protection (`sanitize: true`) and inject a `javascript:` URL. The flaw exists because an entity of the form `&#xNNanything;` is decoded only as far as it can be parsed and the rest is left behind, so that just `anything;` remains.
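The decoding mismatch described above, as an added example (not marked's source code and not part of the advisory): a scheme blocklist that only understands well-formed entities is compared with an allowlist applied after browser-like decoding. The function names, the two decoder models, the allowed scheme list and the sample string are assumptions made for illustration.

```javascript
// Added illustration: a simplified model, not marked's source code.
// Out-of-range or zero code points become U+FFFD instead of throwing.
const cp = (n) => (n === 0 || n > 0x10ffff ? '\ufffd' : String.fromCodePoint(n));

function decodeRefs(s, re) {
  return s.replace(re, (_, hex, dec) => cp(hex ? parseInt(hex, 16) : parseInt(dec, 10)));
}

// Sanitizer-side model (assumed): decodes only references that are well
// formed up to the semicolon; anything else is left as literal text.
const strictDecode = (s) => decodeRefs(s, /&#(?:x([0-9a-f]+)|([0-9]+));/gi);

// Browser-like model: decodes the digits it can and treats the semicolon
// as optional, so the text after the digits stays in the URL.
const lenientDecode = (s) => decodeRefs(s, /&#(?:x([0-9a-f]+)|([0-9]+));?/gi);

// Weak check: blocklist applied to the sanitizer's own view of the href.
function blocklistAllows(href) {
  const view = strictDecode(href).replace(/[^\w:]/g, '').toLowerCase();
  return !view.startsWith('javascript:');
}

// Hardened check: decode the way the browser will, then allowlist schemes.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
function allowlistAllows(href) {
  // Drop control characters and whitespace before looking for a scheme.
  const url = lenientDecode(href).replace(/[\u0000-\u0020]/g, '');
  const head = url.split(/[\/?#]/, 1)[0]; // text before path, query or fragment
  if (!/[:&]/.test(head)) return true; // relative reference, no scheme present
  // A leftover '&' (for example a named reference) without ':' is refused too.
  return SAFE_SCHEMES.has(head.slice(0, head.indexOf(':') + 1).toLowerCase());
}

// Constructed sample in the page's "&#xNNanything;" shape (NN = 3A, a colon).
const SAMPLE = 'javascript&#x3Athis;void(0)';
console.log('sanitizer view:', strictDecode(SAMPLE));
console.log('browser view:  ', lenientDecode(SAMPLE));
console.log('blocklist allows:', blocklistAllows(SAMPLE));
console.log('allowlist allows:', allowlistAllows(SAMPLE));
```

The blocklist passes the sample because it never sees a colon, while the allowlist refuses it because it checks the same string the browser will act on.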

Priority

Medium

CVSS 3 base score: 6.1

Status

| Package | Release | Status |
| --- | --- | --- |
| node-marked (Launchpad, Ubuntu, Debian) | Upstream | Released (0.3.6) |
| | Ubuntu 20.10 (Groovy Gorilla) | Not vulnerable (0.3.6+dfsg-1) |
| | Ubuntu 20.04 LTS (Focal Fossa) | Not vulnerable (0.3.6+dfsg-1) |
| | Ubuntu 18.04 LTS (Bionic Beaver) | Not vulnerable (0.3.6+dfsg-1) |
| | Ubuntu 16.04 LTS (Xenial Xerus) | Needed |
| | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist (trusty was needed) |
| | Ubuntu 12.04 ESM (Precise Pangolin) | Does not exist |